Snowflake

This topic describes how to connect the Snowflake application to PrivaceraCloud on the AWS and Azure platforms.

Prerequisites

Before connecting the Snowflake application to PrivaceraCloud, you must first manually create the Snowflake warehouse, database, users, and roles required by PolicySync. For more information, see Snowflake Configuration for PolicySync.

Connect Application

  1. Go to Settings > Applications.

  2. In the Applications screen, select Snowflake.

  3. Select the platform type (AWS or Azure) on which you want to configure the Snowflake application.

  4. Enter the application Name and Description, and then click Save.

    You can see Access Management and Data Discovery with toggle buttons.

    Note

    If you don't see Data Discovery in your application, enable it in Settings > Account > Discovery. For more information, see Discovery.

    Enable Access Management

  5. Click the toggle button to enable Access Management for your application.

  6. In the BASIC tab, enter the values in the given fields and click Save. For property details and descriptions, see the table below:

    Note

    The other properties are advanced and should be modified in consultation with Privacera.

    Property: Service name
    Description: Policy Sync connector name used while configuring the Policy Sync connector for the Snowflake service.
    Example: Service name: Snowflake

    Property: Service JDBC URL
    Description: JDBC URL required for connecting to the Snowflake repository.
    Example: Service JDBC URL: "jdbc:snowflake://testsnowflake.prod.us-west-2.aws.snowflakecomputing.com"

    Property: Service JDBC Username
    Description: The master/admin database user used by the Policy Sync process for performing all database activities and applying the permissions on entities. This includes the user/role/group creation process, access policies, masking and RLF policies, and retrieving access audits.
    Example: Service JDBC Username: PRIVACERA_SYNC

    Property: Service JDBC Password
    Description: Password used while creating the database user.
    Example: Service JDBC Password: ####

    Property: Service database name
    Description: This database is used for creating the master connection to the Snowflake service.
    Example: Service database name: privacera_db

    Property: Service warehouse name
    Description: Warehouse used by Policy Sync.
    Example: Service warehouse name: "PRIVACERA_POLICYSYNC_WH"

    Property: Service managed global list
    Description: Used for access control of global policies such as createDB and create WH. Can be skipped if not required.
    Example: Service managed global list: none

    Property: Manage database list, Manage schema list, Manage view list
    Description: These three properties follow the same format.
    • Specify a list of zero or more names of databases, list of schemas, list of users, or list of views to be managed by PrivaceraCloud.
    • If left blank, all targets {databases, schemas, users} in the repository are managed.
    • If set to none, no databases are managed.
    • Accepts a single name or multiple names separated by commas.
    • Regular expressions (regex) can be used (e.g., _xx will match names company_xx, products_xx, and so on).
    Formats:
    • Database list format: database
    • Schema list format: database.schema
    • Table list format: database.schema.table
    • View list format: database.schema.view
    Example:
    Manage database list: privdb
    Manage schema list: privdb.saasdb
    Manage table list: privdb.saasdb.
    Manage view list: privdb.saasdb.

    Property: Manage user list, Manage groups list, Manage roles list
    Description: These three properties follow the same format. For each:
    • Specify a list of zero or more names of databases, list of schemas, list of users, or list of views to be managed by PrivaceraCloud.
    • If left blank, all targets {databases, schemas, users} in the repository will be managed.
    • Accepts a single name or multiple names separated by commas.
    • Regular expressions can be used; for example, xx matches names company_xx or products_xx.
    Example:
    Manage user list: privuser*
    Manage groups list: priv1,priv2
    Manage roles list: privrole

    Property: Create service user
    Description: This property allows the creation of new users during policy synchronization.
    Example: Create service user: true

    Property: Service new user password
    Description: The password value to be assigned to any new user created during policy synchronization. Every default new user is assigned this password.
    Example: Service new user password: welcome1

    Property: Manage service user, group, or role
    Description: This property manages service users, groups, and roles.
    Example: Manage service user / group / role: true

    Property: Ignore user list
    Description: Data access user ignore list. Comma-separated names of data access users to be ignored (non-managed) by PrivaceraCloud. This list is seeded with the list of standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control.
    Example: Ignore user list: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql, adls,postgres,kafka,snowflake,powerbi,padmin"

    Property: Prefix for User, Role, or Group
    Description: A string value to be prefixed to users, roles, or groups that are auto-created during synchronization. If empty, no prefix is added.
    Example:
    User role prefix: "pc_user"
    Group role prefix: "pc_role_"
    Role role prefix: "pc_group_"

    Property: Perform grant updates
    Description: Enables or disables performing grants and revokes. If set to true, all grants are executed. If set to false, grant updates are a dry run and are not actually executed.
    Example: Perform grant updates: true

  7. In the ADVANCED tab, you can add custom properties.

  8. Using the IMPORT PROPERTIES button, you can browse and import application properties.
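The scope rules in step 6 (a blank list manages every target, none manages nothing, and each list has a fixed name format) are easy to get wrong when typing values into the BASIC tab. The pre-save check below is an added example, not Privacera code; it assumes the values are collected in a Python dict keyed by the UI labels, and `review` and `split_list` are hypothetical names.

```python
# Keys are the UI labels from the table above. The dict input and the function
# names are assumptions for this example, not a Privacera API.
LIST_PARTS = {  # dot-separated parts per entry, from the "Formats" rows
    "Manage database list": 1, "Manage schema list": 2,
    "Manage table list": 3, "Manage view list": 3,
}
PRINCIPAL_LISTS = ["Manage user list", "Manage groups list", "Manage roles list"]

def split_list(value):
    """Split a comma-separated property value into trimmed, non-empty names."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def review(props):
    """Return (level, property, message) findings for the values to be saved."""
    out = []
    for name in list(LIST_PARTS) + PRINCIPAL_LISTS:
        entries = split_list(props.get(name))
        if not entries:
            out.append(("WARN", name, "blank: all targets in the repository are managed"))
        elif name in LIST_PARTS and [e.lower() for e in entries] == ["none"]:
            out.append(("INFO", name, "none: nothing is managed"))
        elif name in LIST_PARTS:
            want = LIST_PARTS[name]
            for e in entries:
                parts = e.split(".")
                # Assumption: names split on literal dots, so a regex that itself
                # contains "." is flagged here and needs a manual look.
                if len(parts) != want or not all(parts):
                    out.append(("WARN", name, f"{e!r}: expected {want} dot-separated part(s)"))
    if str(props.get("Create service user", "")).lower() == "true":
        out.append(("WARN", "Service new user password",
                    "one password is assigned to every user created during sync"))
        if props.get("Service new user password") == "welcome1":
            out.append(("WARN", "Service new user password", "value is the documentation sample"))
    if str(props.get("Perform grant updates", "")).lower() == "false":
        out.append(("WARN", "Perform grant updates", "dry run: grants are not executed"))
    return out

SAMPLE = {  # constructed values, loosely following the examples above
    "Manage database list": "privdb", "Manage schema list": "privdb.saasdb,orphan_schema",
    "Manage table list": "", "Manage view list": "none",
    "Manage user list": "privuser*", "Manage groups list": "priv1,priv2",
    "Manage roles list": "privrole", "Create service user": "true",
    "Service new user password": "welcome1", "Perform grant updates": "false",
}

if __name__ == "__main__":
    for level, name, msg in review(SAMPLE):
        print(f"{level:5} {name}: {msg}")
```
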

Enable Data Discovery

Click the toggle button to enable Data Discovery for your application.

  1. In the BASIC tab, enter values in the following fields.

    • JDBC URL
    • JDBC Username
    • JDBC Password
  2. In the ADVANCED tab, you can add custom properties.

  3. Using the IMPORT PROPERTIES button, you can browse and import application properties.

  4. Click the TEST CONNECTION button to check if the connection is successful, and then click Save.

Add Data Source

To add resources using this connection as Discovery targets, see Discovery Scan Targets.


Last update: March 22, 2022